Introduction
This document lists the options that are recommended to help you secure your Cisco IOS devices, which increases the overall security of your network.
service sequence-numbers
Each system status message logged by the system logging process has a sequence reference number applied. This command makes that number visible by displaying it with the message; the sequence number appears as the first part of the system status message.
!
service sequence-numbers
!
clock set
Generally, if the system is synchronized by a valid outside timing mechanism, such as a Network Time Protocol (NTP) or VINES clock source, or if you have a router with a hardware clock, you need not set the software clock. Use this command only if no other time source is available. The time specified in this command is assumed to be in the time zone set by the clock timezone command.
!
clock set hh:mm:ss day month year
!
clock timezone
To set the time zone used for display purposes, use the clock timezone command in global configuration mode.
!
clock timezone GMT +8
!
No Service Password-Recovery
The No Service Password-Recovery feature is a security enhancement that prevents anyone with console access from accessing the router configuration and clearing the password. It also prevents anyone from changing the configuration register values and accessing NVRAM.
!
no service password-recovery
!
spanning-tree portfast
Use this feature on interfaces that connect to end devices such as workstations. Never use the PortFast feature on switch ports that connect to other switches, hubs, or routers.
!
spanning-tree portfast
!
Logging Level
Each log message generated by a Cisco IOS device is assigned one of eight severities, ranging from level 0 (emergencies) through level 7 (debug). Unless specifically required, you are advised to avoid logging at level 7: logging at level 7 produces an elevated CPU load on the device that can lead to device and network instability.
This configuration example limits log messages that are sent to remote syslog servers and the local log buffer to severities 6 (informational) through 0 (emergencies):
!
logging trap 6
logging buffered 6
!
No logging console
With Cisco IOS software, it is possible to send log messages to the console and to monitor sessions. However, doing so can elevate the CPU load of an IOS device and therefore is not recommended.
Instead, you are advised to send logging information to the local log buffer, which can be viewed with the show logging command.
!
no logging console
no logging monitor
!
Use Buffered Logging
Cisco IOS software supports the use of a local log buffer so that an administrator can view locally generated log messages. The use of buffered logging is highly recommended versus logging to either the console or monitor sessions.
There are two configuration options that are relevant when configuring buffered logging: the logging buffer size and the message severities. This configuration example configures a logging buffer of 16384 bytes, as well as a severity of 6, indicating that messages at levels 0 through 6 are stored:
!
logging buffered 16384
logging buffered 6
!
Configure Logging Source Interface
In order to provide an increased level of consistency when collecting and reviewing log messages, you are advised to statically configure a logging source interface. For added stability, use a loopback interface as the logging source. This configuration example uses the logging source-interface global configuration command to specify that the IP address of the Loopback0 interface be used for all log messages:
!
interface Loopback0
ip address <IP address> <subnet mask>
!
logging source-interface Loopback0
!
NetFlow
NetFlow identifies anomalous and security-related network activity by tracking network flows. Cisco Express Forwarding (CEF), or distributed CEF, is a prerequisite to enabling NetFlow. NetFlow can be configured on routers and switches.
!
ip flow-export destination <ip-address> <udp-port>
ip flow-export version <version>
!
interface <interface>
ip flow <ingress|egress>
!
EXEC Timeout
The exec-timeout command must be used in order to log out sessions on vty or tty lines that are left idle. By default, sessions are disconnected after 10 minutes of inactivity.
!
line con 0
exec-timeout <minutes> [seconds]
line vty 0 4
exec-timeout <minutes> [seconds]
!
Keepalives for TCP Sessions
The service tcp-keepalive-in and service tcp-keepalive-out global configuration commands enable a device to send TCP keepalives for TCP sessions. This ensures that the device on the remote end of the connection is still accessible, and that half-open sessions are cleared.
!
service tcp-keepalive-in
service tcp-keepalive-out
!
Secure Shell Version 2 Support
The Secure Shell Version 2 Support feature allows you to configure Secure Shell (SSH) version 2. This example generates the RSA key pair, enables SSH version 2 and the SCP server, and restricts the vty lines to SSH:
!
hostname cncrouter
ip domain-name chinanetcloud.com
crypto key generate rsa modulus 2048
ip ssh version 2
ip ssh time-out 60
ip ssh authentication-retries 3
ip scp server enable
ip ssh source-interface <interface>
line vty 0 4
transport input ssh
!
Configure Logging Timestamps
The configuration of logging timestamps helps you correlate events across network devices. Logging timestamps should be configured to include the date and time with millisecond precision and to include the time zone in use on the device.
!
clock timezone GMT +8
service timestamps log datetime msec localtime show-timezone
service timestamps debug datetime msec localtime show-timezone
!
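As an added example (not code from the original guide), a small Python parser for the syslog format that service sequence-numbers and service timestamps log datetime msec localtime show-timezone produce. It extracts the sequence number, timestamp, time zone, facility, severity and mnemonic, flags a non-authoritative clock (the leading * or . on the timestamp), reports sequence-number gaps, which show that messages were dropped on the way to the collector, and filters by severity the way logging trap <level> does. The log lines are constructed, not captured from a device.

```python
# Parse Cisco IOS syslog lines as produced with 'service sequence-numbers' and
# 'service timestamps log datetime msec localtime show-timezone' (constructed example,
# not code from the original guide). Sequence gaps reveal dropped or filtered messages.
import re
from dataclasses import dataclass
from typing import Optional

# "000045: Mar  2 10:15:32.123 GMT: %SYS-5-CONFIG_I: text"; a leading '*' or '.' on the
# timestamp means the clock is not authoritative (no valid NTP sync), so the time is suspect.
LINE_RE = re.compile(
    r"^(?:(?P<seq>\d+): )?(?P<clock>[*.])?"
    r"(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}(?:\.\d{3})?)"
    r"(?: (?P<tz>[A-Z]{1,5}))?: %(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-"
    r"(?P<mnemonic>[A-Z0-9_]+): (?P<text>.*)$")

@dataclass
class LogEvent:
    seq: Optional[int]          # None when service sequence-numbers is not configured
    timestamp: str
    timezone: Optional[str]     # None when show-timezone is not configured
    clock_authoritative: bool
    facility: str
    severity: int               # 0 (emergencies) .. 7 (debugging)
    mnemonic: str
    text: str

def parse_line(line):
    """One syslog line -> LogEvent, or None if it is not in the expected format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return LogEvent(int(m["seq"]) if m["seq"] else None, m["ts"], m["tz"], m["clock"] is None,
                    m["facility"], int(m["severity"]), m["mnemonic"], m["text"])

def parse_log(text):
    """All parseable events of a multi-line log, in order of appearance."""
    return [e for e in (parse_line(line) for line in text.splitlines()) if e]

def sequence_gaps(events):
    """(expected, seen) pairs where the sequence number jumps: messages were lost on the way."""
    seqs = [e.seq for e in events if e.seq is not None]
    return [(prev + 1, cur) for prev, cur in zip(seqs, seqs[1:]) if cur != prev + 1]

def at_most(events, level):
    """Events at severity 'level' or more urgent, i.e. what 'logging trap <level>' forwards."""
    return [e for e in events if e.severity <= level]

# Constructed sample lines (message texts are illustrative, not captured from a device)
SAMPLE_LOG = """\
000120: Mar  2 10:15:32.101 GMT: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (192.168.100.1)
000121: Mar  2 10:15:40.555 GMT: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: guest] [Source: 192.168.100.77] [localport: 22]
000124: Mar  2 10:16:02.007 GMT: %SEC_LOGIN-1-QUIET_MODE_ON: Still timeleft for watching failures is 0 secs, [user: guest] [Source: 192.168.100.77]
000125: *Mar  2 10:16:05.900 GMT: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to down
000126: Mar  2 10:16:09.340 GMT: %DEMO-7-CONSTRUCTED: debug-level line that logging trap 6 would not forward
"""
```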
Login Password Retry Lockout
The Login Password Retry Lockout feature allows you to lock out a local user account after a configured number of unsuccessful login attempts. Once a user is locked out, the account remains locked until you unlock it. An authorized user who is configured with privilege level 15 cannot be locked out with this feature, so the number of users with privilege level 15 must be kept to a minimum.
!
aaa new-model
aaa local authentication attempts max-fail <max-attempts>
aaa authentication login default local
login block-for 120 attempts 5 within 60
!
username <name> secret <password>
!
No ip mask-reply
Ensure that the device is not configured to respond to ICMP mask requests.
!
no ip mask-reply
!
No ip identd
Ensure that the identification service is not enabled.
!
no ip identd
!
No ip directed-broadcast
Ensure that the device is not configured to allow IP directed broadcasts on any interface.
!
no ip directed-broadcast
!
No ip route-cache
Using the route cache is often called fast switching. The route cache allows outgoing packets to be load-balanced on a per-destination basis rather than on a per-packet basis. The no ip route-cache command disables fast switching.
!
no ip route-cache
!
Memory Threshold Notifications
The Memory Threshold Notification feature allows you to mitigate low-memory conditions on a device.
!
memory free low-watermark processor <threshold>
memory free low-watermark io <threshold>
!
Memory Reservation is used so that sufficient memory is available for critical notifications. This ensures that management processes continue to function when the memory of the device is exhausted.
!
memory reserve critical <value>
!
CPU Thresholding Notification
The CPU Thresholding Notification feature allows you to detect and be notified when the CPU load on a device crosses a configured threshold.
!
snmp-server enable traps cpu threshold
!
snmp-server host <host-address> <community-string> cpu
!
process cpu threshold type <type> rising <percentage> interval <seconds> [falling <percent
process cpu statistics limit entry-percentage <number> [size <seconds>]
!
Reserve Memory for Console Access
The Reserve Memory for Console Access feature can be used in order to reserve enough memory to ensure console access to a Cisco IOS device for administrative and troubleshooting purposes. This feature is especially beneficial when the device runs low on memory.
!
memory reserve console 4096
!
SNMP Community Strings
Community strings are passwords that are applied to an IOS device to restrict access, both read-only and read-write access, to the SNMP data on the device.
!
snmp-server community READONLY RO
snmp-server community READWRITE RW
!
SNMP Community Strings with ACLs
In addition to the community string, an ACL should be applied that further restricts SNMP access to a select group of source IP addresses.
!
access-list 98 permit 192.168.100.0 0.0.0.255
access-list 99 permit 192.168.100.1
!
snmp-server community READONLY RO 98
snmp-server community READWRITE RW 99
!
SNMP Views
SNMP Views are a security feature that can permit or deny access to certain SNMP MIBs.
!
snmp-server view VIEW-SYSTEM-ONLY system include
!
snmp-server community LIMITED view VIEW-SYSTEM-ONLY RO
!
SNMP Version 3
SNMPv3 provides secure access to devices by authenticating and optionally encrypting packets over the network.
This command configures a Cisco IOS device for SNMPv3 with an SNMP server group AUTHGROUP and enables only authentication for this group by using the auth keyword:
!
snmp-server group AUTHGROUP v3 auth
!
This command configures a Cisco IOS device for SNMPv3 with an SNMP server group PRIVGROUP and enables both authentication and encryption for this group by using the priv keyword:
!
snmp-server group PRIVGROUP v3 priv
!
This command configures an SNMPv3 user snmpv3user with an MD5 authentication password of authpassword and a 3DES encryption password of privpassword:
!
snmp-server user snmpv3user PRIVGROUP v3 auth md5 authpassword priv 3des privpassword
!
Disable AUX
In most situations, the AUX port of a device must be disabled to prevent unauthorized access. An AUX port can be disabled using these commands:
!
line aux 0
transport input none
transport output none
no exec
exec-timeout 0 1
no password
!
Cisco IOS Software Configuration Management
This example illustrates the configuration of automatic configuration archiving.
!
archive
path disk0:archived-config
maximum 14
time−period 1440
write−memory
!
Exclusive Configuration Change Access
The Exclusive Configuration Change Access feature ensures that only one administrator makes configuration changes to a Cisco IOS device at a given time.
!
configuration mode exclusive auto
!
Cisco IOS Software Resilient Configuration
The Resilient Configuration feature makes it possible to securely store a copy of the Cisco IOS software image and device configuration that is currently being used by a Cisco IOS device. When this feature is enabled, it is not possible to alter or remove these backup files.
!
secure boot-image
secure boot-config
!
Configuration Change Notification and Logging
The Configuration Change Notification and Logging feature makes it possible to log the configuration changes made to a Cisco IOS device. The log is maintained on the Cisco IOS device and contains the user information of the individual who made the change, the configuration command entered, and the time that the change was made.
!
archive
log config
logging enable
logging size 200
hidekeys
notify syslog
!
Unicast RPF
Unicast RPF enables a device to verify that the source address of a forwarded packet can be reached through the interface that received the packet.
!
ip cef
!
interface <interface>
ip verify unicast source reachable-via <mode>
!
IP Source Guard
IP Source Guard uses information from DHCP snooping to dynamically configure a port access control list (PACL) on the Layer 2 interface, denying any traffic from IP addresses that are not associated in the IP source binding table.
!
ip dhcp snooping
ip dhcp snooping vlan <vlan-range>
!
After DHCP snooping is enabled, these commands enable IPSG:
!
interface <interface-id>
ip verify source
!
Port Security
Port Security is used in order to mitigate MAC address spoofing at the access interface. Port Security can use dynamically learned (sticky) MAC addresses to ease the initial configuration. Once port security has detected a MAC violation, it applies one of four violation modes: protect, restrict, shutdown, and shutdown VLAN.
!
interface <interface>
switchport
switchport mode access
switchport port-security
switchport port-security mac-address sticky
switchport port-security maximum <number>
switchport port-security violation <violation-mode>
!
Dynamic ARP Inspection
Dynamic ARP Inspection (DAI) can be utilized to mitigate ARP poisoning attacks on local segments. DAI relies on the DHCP snooping binding table, so DHCP snooping must be enabled first:
!
ip dhcp snooping
ip dhcp snooping vlan <vlan-range>
!
Cisco IOS Login Enhancements (Login Block)
The Cisco IOS Login Enhancements (Login Block) feature provides a way for you to better secure your Cisco IOS software-based device against possible malicious connection attempts. By enabling this feature, you can slow down "dictionary attacks" by enforcing a "quiet period" if multiple failed connection attempts are detected, thereby protecting the routing device from a type of denial-of-service attack.
!
login delay <seconds>
login on-failure log
login on-success log
!
Cisco VTP Vulnerability
Upon receiving a malformed VTP packet, certain devices may reload. The attack could be executed repeatedly, causing an extended denial of service.
In order to successfully exploit this vulnerability, the attacker must know the VTP domain name, as well as send the malformed VTP packet to a port on the switch configured for trunking. Since there is no way to completely disable VTP, the better way is to set the VTP mode to transparent on all devices and to set a VTP password as well.
!
vtp mode transparent
vtp password <password>
!
Spanning Tree Protocol Root Guard Enhancement
Any switch can be the root bridge in a network. With standard STP, the bridge in the network with the lowest bridge ID takes the role of the root bridge, and the administrator cannot enforce the position of the root bridge. The administrator can set the root bridge priority to 0 in an effort to secure the root bridge position, but there is no guarantee against a bridge with a priority of 0 and a lower MAC address. Root guard on the other ports stops such a bridge from being accepted as root.
!
spanning-tree vlan <vlan num | vlan range> priority 0
!
!
spanning-tree guard root
!
MAC address-table notification
Use the mac address-table notification global configuration command to enable the MAC address notification feature on the switch.
This example shows how to enable the MAC address-table notification feature, set the interval time to 60 seconds, and set the history size to 100 entries:
!
mac address-table notification
mac address-table notification interval 60
mac address-table notification history-size 100
!
Configuring Dynamic ARP Inspection
ARP provides IP communication within a Layer 2 broadcast domain by mapping an IP address to a MAC address. However, because ARP allows a gratuitous reply from a host even if an ARP request was not received, an ARP spoofing attack and the poisoning of ARP caches can occur. After the attack, all traffic from the device under attack flows through the attacker's computer and then to the router, switch, or host.
A malicious user can attack hosts, switches, and routers connected to your Layer 2 network by poisoning the ARP caches of systems connected to the subnet and by intercepting traffic intended for other hosts on the subnet.
!
ip arp inspection vlan <vlan num | vlan range>
ip arp inspection log-buffer entries 1024
ip arp inspection log-buffer logs 1024 interval 10
ip arp inspection limit rate 15
!
Uplink interfaces should be trusted so that their ARP traffic is not inspected, using this command:
!
interface <interface>
ip arp inspection trust
!
Using Authentication, Authorization, and Accounting
The Authentication, Authorization, and Accounting (AAA) framework is critical to securing interactive access to network devices.
!
aaa new-model
!
aaa authentication login default local
aaa authorization exec default local
!
As a security best practice, any unnecessary service must be disabled. These unneeded services, especially those that use UDP (User Datagram Protocol), are infrequently used for legitimate purposes, but can be used in order to launch DoS and other attacks that are otherwise prevented by packet filtering.
Issue the no ip finger global configuration command in order to disable the Finger service.
!
no ip finger
!
Issue the no ip bootp server global configuration command in order to disable the Bootstrap Protocol (BOOTP) server.
!
no ip bootp server
!
DHCP services can be disabled if DHCP relay services are not required. Issue the no service dhcp command in global configuration mode.
!
no service dhcp
!
Issue the no mop enabled command in interface configuration mode in order to disable the Maintenance Operation Protocol (MOP) service.
!
no mop enabled
!
Issue the no ip domain-lookup global configuration command in order to disable Domain Name System (DNS) resolution services.
!
no ip domain-lookup
!
Issue the no service pad command in global configuration mode in order to disable the Packet Assembler/Disassembler (PAD) service, which is used for X.25 networks.
!
no service pad
!
Issue the no service tcp-small-servers and no service udp-small-servers global configuration commands to disable the TCP and UDP small servers (echo, discard, chargen, daytime).
!
no service tcp-small-servers
no service udp-small-servers
!
The HTTP server can be disabled with the no ip http server command in global configuration mode, and the Secure HTTP (HTTPS) server can be disabled with the no ip http secure-server global configuration command.
!
no ip http server
no ip http secure-server
!
Unless Cisco IOS devices retrieve configurations from the network during startup, the no service config global configuration command must be used. This prevents the Cisco IOS device from attempting to locate a configuration file on the network using TFTP.
!
no service config
!
Cisco Discovery Protocol (CDP) is a network protocol that is used in order to discover other CDP-enabled devices for neighbor adjacency and network topology. CDP can be used by Network Management Systems (NMS) or during troubleshooting. CDP must be disabled on all interfaces that are connected to untrusted networks. This is accomplished with the no cdp enable interface command. Alternatively, CDP can be disabled globally with the no cdp run global configuration command. Note that CDP can be used by a malicious user for reconnaissance and network mapping.
!
no cdp run
!
Link Layer Discovery Protocol (LLDP) is an IEEE protocol that is defined in 802.1AB. LLDP is similar to CDP. In order to disable this feature on an interface, issue the no lldp transmit and no lldp receive interface configuration commands. Issue the no lldp run global configuration command in order to disable LLDP globally.
!
no lldp run
!
Other security options
Ensure that the device is configured to not send ICMP redirect messages.
!
no ip redirects
!
Ensure that the device is configured to not send ICMP unreachable messages.
!
no ip unreachables
!
Ensure that the proxy ARP service is not enabled on any interface.
!
no ip proxy-arp
!
Drop all packets with IP options set.
!
ip options drop
!
Ensure that the device is not forwarding IP packets with the source routing option in the header.
!
no ip source-route
!
Turn off forwarding of UDP broadcasts.
!
no ip forward-protocol udp
!
Security passwords min-length: ensure that all configured passwords are at least the specified length.
!
security passwords min-length <length>
!
Security authentication failure rate: configure the number of allowable unsuccessful login attempts, and log when the rate is exceeded.
!
security authentication failure rate <threshold-rate> log
!
Limiting messages sent to a syslog server: set the maximum severity level that is forwarded to syslog servers.
!
logging trap <level>
!
Disable gratuitous ARP requests.
!
no ip gratuitous-arps
!
Turn VLAN 1 off.
!
interface vlan 1
shutdown
!
Set the encapsulation on all trunk ports.
!
switchport trunk encapsulation dot1q
!
Set all trunk ports to no channel-group.
!
no channel-group
!
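As an added example that is not part of the original guide, a Python audit script that checks a saved running-config against the recommendations above: password recovery disabled, timestamps with msec and time zone, no console logging, no HTTP server, no CDP, SSH version 2, login block-for, password minimum length, logging trap/buffered not at level 7, SNMP community strings without an ACL and SNMPv3 groups without authentication, the ICMP redirect/unreachable and proxy-ARP defaults on routed interfaces, and vty lines that allow telnet or have the idle timeout disabled. Parsing is heuristic (one-space indented subcommands as in show running-config output) and the sample configuration is constructed, not captured from a device.

```python
# Audit a Cisco IOS running-config against the hardening items in this guide (constructed example;
# parsing is heuristic: running-config text with one-space indented subcommands).
import re

# Keyword severities as IOS prints them in running-config (logging trap 6 -> informational)
SEVERITY = dict(zip("emergencies alerts critical errors warnings notifications informational debugging".split(), range(8)))
# Global lines that must be present (regex, finding when absent). Defaults such as CDP and
# password recovery are on, and only show in the config once they have been disabled.
REQUIRED_GLOBAL = [
    (r"^no service password-recovery$", "password recovery not disabled"),
    (r"^service timestamps log datetime msec.*show-timezone", "log timestamps lack msec/timezone"),
    (r"^no logging console$", "console logging enabled"),
    (r"^no ip http server$", "HTTP server enabled"),
    (r"^no cdp run$", "CDP running globally"),
    (r"^ip ssh version 2$", "SSH not pinned to version 2"),
    (r"^login block-for \d+ attempts \d+ within \d+$", "login block-for not configured"),
    (r"^security passwords min-length \d+$", "no password minimum length configured"),
]
# Global lines that must not be present (regex, finding when found)
FORBIDDEN_GLOBAL = [
    (r"^snmp-server community \S+ (RO|RW)$", "SNMP community without ACL"),
    (r"^snmp-server group \S+ v3 noauth\b", "SNMPv3 group without authentication"),
]
# Per-interface defaults that must be overridden on every interface carrying an IP address
INTERFACE_REQUIRED = {"no ip redirects": "sends ICMP redirects",
                      "no ip unreachables": "sends ICMP unreachables",
                      "no ip proxy-arp": "proxy ARP enabled"}

def parse_config(text):
    """Split running-config text into global lines and {interface/line header: [subcommands]}."""
    global_lines, sections, current = [], {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            current = None                      # '!' separates blocks in running-config
        elif raw[0] in " \t":                   # indented: belongs to the open section
            if current is not None:
                sections[current].append(raw.strip())
        elif raw.startswith(("interface ", "line ")):
            current = raw.strip()
            sections.setdefault(current, [])
        else:
            current = None
            global_lines.append(raw.strip())
    return global_lines, sections

def severity_of(token):
    """Numeric or keyword severity -> 0..7 (None if unknown)."""
    return int(token) if token.isdigit() else SEVERITY.get(token)

def check_logging_levels(global_lines):
    """Flag logging trap/buffered at level 7; a missing level means the IOS default."""
    findings = []
    for line in global_lines:
        m = re.match(r"^logging (trap|buffered)(?: \d{4,})?(?: ([a-z]+|[0-7]))?$", line)
        if m:
            kind, token = m.groups()
            sev = severity_of(token) if token else (7 if kind == "buffered" else 6)
            if sev is not None and sev > 6:
                findings.append(f"{kind} logging at level 7 (debug raises CPU load)")
    return findings

def check_sections(sections):
    """Interface and line checks: ICMP/proxy-ARP defaults, idle timeout, ssh-only vty."""
    findings = []
    for head, subs in sections.items():
        if head.startswith("interface ") and any(s.startswith("ip address ") for s in subs):
            findings += [f"{head}: {msg}" for cmd, msg in INTERFACE_REQUIRED.items()
                         if cmd not in subs]
        elif head.startswith("line "):
            if "exec-timeout 0 0" in subs:
                findings.append(f"{head}: idle timeout disabled")
            if head.startswith("line vty") and "transport input ssh" not in subs:
                findings.append(f"{head}: transport input not restricted to ssh")
    return findings

def audit(text):
    """Return the list of findings for one running-config."""
    global_lines, sections = parse_config(text)
    findings = [msg for pat, msg in REQUIRED_GLOBAL
                if not any(re.match(pat, g) for g in global_lines)]
    findings += [f"{msg}: {g}" for pat, msg in FORBIDDEN_GLOBAL
                 for g in global_lines if re.match(pat, g)]
    return findings + check_logging_levels(global_lines) + check_sections(sections)

# Constructed sample running-config (not captured from a real device)
SAMPLE_CONFIG = """\
service timestamps log datetime msec localtime show-timezone
no service password-recovery
logging buffered 16384
no logging console
interface FastEthernet0/0
 ip address 192.168.100.254 255.255.255.0
 no ip redirects
!
no ip http server
snmp-server community public RO
snmp-server community READWRITE RW 99
snmp-server group AUTHGROUP v3 noauth
ip ssh version 2
login block-for 120 attempts 5 within 60
line vty 0 4
 exec-timeout 0 0
 transport input telnet ssh
"""
```

Running audit(SAMPLE_CONFIG) returns nine findings for the sample, including the buffered log left at its debugging default, the community string without an ACL and the vty line that still accepts telnet.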
介绍
This document lists all the option that is recommended to help you secure your CISCO IOS system devices,which increases the overall security of your network
这篇文档包含了建议你使用的一些安全选项,旨在帮助你加强使用 CISCO IOS 系统的设备的安全性,从整体上整体加强网路安全。
service sequence-numbers
Each system status messages logged in the system logging process have a sequence reference number applied. This command makes that number visible by displaying it with the message. The sequence number is displayed as the first part of the system status message.
每个记录的系统状态信息在进行记录的时候都会有一个对应的序列号。这个命令可以使在显示这条记录的时候显示这个序列号。这个序列号在每条记录的最前面。
!
service sequence-numbers
!
clock set
Generally, if the system is synchronized by a valid outside timing mechanism, such as a Network Time Protocol (NTP) or VINES clock source, or if you have a router with a hardware clock, you need not set the software clock. Use this command if no other time sources are available. The time specified in this command is assumed to be in the time zone specified by the configuration of the clock timezone command.
一般的,如果系统时间可以使用外部可用的 NTP 或者 VINES 时钟,或者你的路由器有个一硬件时钟,你不需要自己设置时钟。但是如果没有这些时钟,下面的命令可以指定系统时钟。
!
clock set hh:mm:ss day month year
!
clock timezone
To set the time zone for display purposes, use the clock timezone command in global configuration mode.
使用下面的命令设置时区。
!
clock timezone GMT +8
!
No Service Password-Recovery
The No Service Password-Recovery feature is a security enhancement that prevents anyone with console access from accessing the router configuration and clearing the password. It also prevents anyone from changing the configuration register values and accessing NVRAM.
No Service Password-Recovery 是一个加强安全功能的命令,可以阻止任何从 console 口连接到路由器的人试图删除密码,而且可以防止修改配置寄存值以及进入 NVRAM 。
!
no service password-recovery
!
spanning-tree portfast
Use this feature . the interface,which is connected to an end devices,such as a workstation,Never use the PortFast feature . switch ports that connect to other switches, hubs, or routers.
在连接到终端设备的端口上打开这个功能,比如说工作站,千万不要使用在连接到其他交换机、集线器或者路由器的端口上。
!
spanning-tree portfast
!
Logging Level
Each log message that is generated by a Cisco IOS device is assigned .e of eight severities that range from level 0, Emergencies, through level 7, Debug. Unless specifically required, you are advised to avoid logging at level 7. Logging at level 7 produces an elevated CPU load . the device that can lead to device and network instability.
This configuration example limits log messages that are sent to remote syslog servers and the local log buffer to severities 6 (informational) through 0 (emergencies):
系统每次生成的 log 都会有一个相应的级别,从 0 到 7 。如果不是特别指明,请避免记录级别 7 ,这样会使得 CPU 使用增加,甚至导致设备和网络的稳定性。
!
logging trap 6
logging buffered 6
!
No logging console
With Cisco IOS software, it is possible to send log messages to monitor sessions, However, doing so can elevate the CPU load of an IOS device and therefore is not recommended.
Instead, you are advised to send logging information to the local log buffer, which can be viewed using the show logging command.
IOS 软件可以将 log 日志发送到屏幕,不过这样会增加 CPU 负载,所以不建议使用。建议发送日志到 log 缓冲区,使用 show logging 命令可以看到这些日志。
!
no logging console
no logging monitor
!
Use Buffered Logging
Cisco IOS software supports the use of a local log buffer so that an administrator can view locally generated log messages. The use of buffered logging is highly recommended versus logging to either the console or monitor sessions.
There are two configuration options that are relevant when configuring buffered logging: the logging buffer size and the message severities. This configuration example includes the configuration of a logging buffer of 16384 bytes, as well as a severity of 6,indicating that messages at levels 0 through 6 is stored:
IOS 软件支持使用本地 log 缓冲,这样管理员可以在本地产看日志消息。强烈建议使用这个选项而不是将 log 日志发送到 console 或者屏幕。有两个配置选项,一个是 log 日志的大小,另外一个是记录级别。配置例子里是将 log 缓冲设置成 16384 字节,记录级别是 0 到 6 。
!
logging buffered 16384
logging buffered 6
!
Configure Logging Source Interface
In order to provide an increased level of consistency when collecting and reviewing log messages, you are advised to statically configure a logging source interface. For added stability, you are advised to use a loopback interface as the logging source. This configuration example illustrates the use of the logging source−interface interface global configuration command to specify that the IP address of the loopback 0 interface be used for all log messages:
为了提高收集和查看 log 消息的一致性,建议配置一个静态的 logging 端口,使用内部环回端口作为 logging 端口更为稳定。
!
interface loopback 0
ip address <IP address> <submask>
logging source−interface Loopback 0
!
NetFlow
NetFlow identifies anomalous and security−related network activity by tracking network flows. Cisco Express Forwarding (CEF), or distributed CEF, is a prerequisite to enabling NetFlow. NetFlow can be configured . routers and switches.
NetFlow 通过记录网络流量来辨别反常和安全相关的网络行为。打开 CEF 是使用 NetFlow 的前提。 NetFlow 可以配置在交换机和路由器上。
!
ip flow−export destination <ip−address> <udp−port>
ip flow−export version <version>
!
interface <interface>
ip flow <ingess|egress>
!
EXEC Timeout
The exec−timeout command must be used in order to logout sessions . vty or tty lines that are left idle. By default, sessions are disconnected after 10 minutes of inactivity.
必须使用 exec−timeout 命令关闭空闲的会话。默认情况下,会话空闲 10 分钟后关闭。
!
line con 0
exec−timeout <minutes> [seconds]
line vty 0 4
exec−timeout <minutes> [seconds]
!
Keepalives for TCP Sessions
The service tcp−keepalive−in and service tcp−keepalive−out global configuration commands enable a device to send TCP keepalives for TCP sessions. This ensures that the device . the remote end of the connection is still accessible.
service tcp−keepalive−in 和 tcp−keepalive−out 全局命令保证和远端设备的链接是有效的。
!
service tcp−keepalive−in
service tcp−keepalive−out
!
Secure Shell Version 2 Support
The Secure Shell Version 2 Support feature allows you to configure Secure Shell.
Secure Shell 版本 2 功能可以配置使用 Secure Shell 。
!
hostname cncrouter
ip domain-name chinanetcloud.com
crypto key generate rsa modulus 2048
ip ssh version 2
ip ssh time-out 60
ip ssh authentication-retries 3
ip scp server enable
ip ssh source-interface fa0/0 (or whatever)
line vty 0 4
transport input ssh
!
Configure Logging Timestamps
The configuration of logging timestamps helps you correlate events across network devices. Logging timestamps should be configured to include the date and time with millisecond precision and to include the time zone in use . the device.
logging timestamps 可以帮助你辨别设备事件,配置时间应该精确到毫秒而且必须使用时区。
!
clock timezone GMT +8
service timestamps log datetime msec localtime show-timezone
service timestamps debug datetime msec localtime show-timezone
!
Login Password Retry Lockout
The Login Password Retry Lockout feature, allows an you to lock out a local user account after a configured number of unsuccessful login attempts. .ce a user is locked out, their account is locked until you unlock it. An authorized user who is configured with privilege level 15 cannot be locked out with this feature. The number of users with privilege level 15 must be kept to a minimum.
Login Password Retry Lockout 功能可以使设备锁住一个指定多次内未成功登录的用户。一旦用户被锁住,需要手动解锁。但是拥有级别 15 的用户是不会被这个功能锁住的,所以拥有级别 15 的用户必须控制在最少人数。
!
aaa new−model
aaa local authentication attempts max−fail <max−attempts>
aaa authentication login default local
login block-for 120 attempts 5 within 60
!
username <name> secret <password>
!
No ip mask-reply
Ensure that the device is not configured to respond to ICMP mask requests.
保证设备不会响应ICMP mask 请求。
!
no ip mask-reply
!
No ip identd
Ensure that the identification service is not enabled.
保证鉴定服务关闭。
No ip directed-broadcast
Ensure that the device is not configured to allow IP directed broadcasts . any interface.
!
No ip directed-broadcast
!
No ip route-cache
Using the route cache is often called fast switching. The route cache allows outgoing packets to be load-balanced . a per-destination basis rather than . a per-packet basis. The no ip route-cache command disables fast switching.
使用路由缓冲又叫做快速交换。路由缓冲允许向外发送的数据包基于目的地址做负载均衡。
!
no ip route-cache
!
Memory Threshold Notifications
The Memory Threshold Notification feature allows you to mitigate low-memory conditions on a device.
This feature lets you mitigate low-memory conditions on the device.
!
memory free low-watermark processor <threshold>
memory free low-watermark io <threshold>
!
Memory Reservation is used so that sufficient memory is available for critical notifications. This ensures that management processes continue to function when the memory of the device is exhausted.
Memory Reservation ensures that critical notifications have enough memory. It keeps management processes running even when the device's memory is exhausted.
!
memory reserve critical <value>
!
CPU Thresholding Notification
The CPU Thresholding Notification feature allows you to detect and be notified when the CPU load on a device crosses a configured threshold.
Notifies you when the CPU load exceeds a configured value.
!
snmp-server enable traps cpu threshold
!
snmp-server host <host-address> <community-string> cpu
!
process cpu threshold type <type> rising <percentage> interval <seconds> [falling <percent
process cpu statistics limit entry-percentage <number> [size <seconds>]
!
Reserve Memory for Console Access
The Reserve Memory for Console Access feature can be used in order to reserve enough memory to ensure console access to a Cisco IOS device for administrative and troubleshooting purposes. This feature is especially beneficial when the device runs low on memory.
This feature reserves enough memory for the console so that you can still reach the device over the console for management or troubleshooting. It is especially useful when the device is running low on memory.
!
memory reserve console 4096
!
SNMP Community Strings
Community strings are passwords that are applied to an IOS device to restrict access, both read-only and read-write access, to the SNMP data on the device.
Community strings are passwords applied to an IOS device that restrict read-only or read-write access to SNMP data.
!
snmp-server community READONLY RO
snmp-server community READWRITE RW
!
SNMP Community Strings with ACLs
In addition to the community string, an ACL should be applied that further restricts SNMP access to a select group of source IP addresses.
Beyond the community string, use an ACL to further restrict which sources can access SNMP.
!
access-list 98 permit 192.168.100.0 0.0.0.255
access-list 99 permit 192.168.100.1
!
snmp-server community READONLY RO 98
snmp-server community READWRITE RW 99
!
SNMP Views
SNMP Views are a security feature that can permit or deny access to certain SNMP MIBs.
SNMP Views can permit or deny access to SNMP MIBs.
!
snmp-server view VIEW-SYSTEM-ONLY system include
!
snmp-server community LIMITED view VIEW-SYSTEM-ONLY RO
!
SNMP Version 3
SNMPv3 provides secure access to devices by authenticating and optionally encrypting packets over the network.
This command configures a Cisco IOS device for SNMPv3 with an SNMP server group AUTHGROUP and enables only authentication for this group by using the auth keyword:
!
snmp-server group AUTHGROUP v3 auth
!
This command configures a Cisco IOS device for SNMPv3 with an SNMP server group PRIVGROUP and enables both authentication and encryption for this group by using the priv keyword:
!
snmp-server group PRIVGROUP v3 priv
!
This command configures an SNMPv3 user snmpv3user with an MD5 authentication password of authpassword and a 3DES encryption password of privpassword:
!
snmp-server user snmpv3user PRIVGROUP v3 auth md5 authpassword priv 3des privpassword
!
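As an added example (not part of the original page), this Python audit reads the snmp-server lines of a constructed running-config excerpt and flags the weaknesses the SNMP sections above address: well-known community names, communities without a source ACL or a view, read-write communities, and the absence of an SNMPv3 group using priv. The sample configuration, the severity labels and the finding messages are all constructed here.

```python
import re

# Constructed sample running-config excerpt (not taken from a real device).
SAMPLE_CONFIG = """\
snmp-server community public RO
snmp-server community private RW
snmp-server community READONLY RO 98
snmp-server community READWRITE RW 99
snmp-server view VIEW-SYSTEM-ONLY system include
snmp-server community LIMITED view VIEW-SYSTEM-ONLY RO
snmp-server group AUTHGROUP v3 auth
snmp-server group PRIVGROUP v3 priv
snmp-server user snmpv3user PRIVGROUP v3 auth md5 authpassword priv 3des privpassword
"""

# "snmp-server community <name> [view <view>] {RO|RW} [<acl>]"
COMMUNITY_RE = re.compile(
    r"^snmp-server community (\S+)(?: view (\S+))? (RO|RW)(?: (\S+))?$")
# "snmp-server group <name> v3 {noauth|auth|priv}"
GROUP_RE = re.compile(r"^snmp-server group (\S+) v3 (noauth|auth|priv)$")
WELL_KNOWN = {"public", "private"}

def audit_snmp(config):
    """Return (severity, message) findings for the SNMP settings in config."""
    findings = []
    priv_groups = []
    for line in config.splitlines():
        line = line.strip()
        m = COMMUNITY_RE.match(line)
        if m:
            name, view, mode, acl = m.groups()
            if name.lower() in WELL_KNOWN:
                findings.append(("high", f"community '{name}' is a well-known default"))
            if acl is None:
                findings.append(("medium", f"community '{name}' has no source ACL"))
            if mode == "RW":
                findings.append(("medium", f"community '{name}' grants read-write access"))
            if view is None:
                findings.append(("low", f"community '{name}' is not limited to a view"))
            continue
        m = GROUP_RE.match(line)
        if m and m.group(2) == "priv":
            priv_groups.append(m.group(1))
    if not priv_groups:
        findings.append(("medium", "no SNMPv3 group uses priv (authentication and encryption)"))
    return findings

if __name__ == "__main__":
    for severity, message in audit_snmp(SAMPLE_CONFIG):
        print(f"[{severity}] {message}")
```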
Disable AUX
In most situations, the AUX port of a device must be disabled to prevent unauthorized access. An AUX port can be disabled using these commands:
In most situations the AUX port must be disabled to prevent unauthorized access.
!
line aux 0
transport input none
transport output none
no exec
exec-timeout 0 1
no password
!
Cisco IOS Software Configuration Management
This example illustrates the configuration of automatic configuration archiving.
This example shows how to make the system archive its configuration automatically.
!
archive
path disk0:archived-config
maximum 14
time−period 1440
write−memory
!
Exclusive Configuration Change Access
The Exclusive Configuration Change Access feature ensures that only one administrator makes configuration changes to a Cisco IOS device at a given time.
Exclusive Configuration Change Access ensures that only one administrator can change the configuration at any given time.
!
configuration mode exclusive auto
!
Cisco IOS Software Resilient Configuration
The Resilient Configuration feature makes it possible to securely store a copy of the Cisco IOS software image and device configuration that is currently being used by a Cisco IOS device. When this feature is enabled, it is not possible to alter or remove these backup files.
Resilient Configuration makes it possible to securely store the IOS image and configuration file the system is currently using; while the feature is enabled, these backup files cannot be modified or removed.
!
secure boot-image
secure boot-config
!
Configuration Change Notification and Logging
The Configuration Change Notification and Logging feature makes it possible to log the configuration changes made to a Cisco IOS device. The log is maintained on the Cisco IOS device and contains the user information of the individual who made the change, the configuration command entered, and the time that the change was made.
Configuration Change Notification and Logging records the changes made to the configuration. The log is kept on the Cisco device and records who made the change, when, which command was used and what was changed.
!
archive
log config
logging enable
logging size 200
hidekeys
notify syslog
!
Unicast RPF
Unicast RPF enables a device to verify that the source address of a forwarded packet can be reached through the interface that received the packet.
Unicast RPF lets the device verify that a packet's source address is reachable through the interface on which the packet was received.
!
ip cef
!
interface <interface>
ip verify unicast source reachable-via <mode>
!
IP Source Guard
IP Source Guard uses information from DHCP snooping to dynamically configure a port access control list (PACL) on the Layer 2 interface, denying any traffic from IP addresses that are not associated in the IP source binding table.
IP Source Guard uses DHCP snooping information to dynamically configure Layer 2 access control on the port, dropping any traffic not listed in the IP source binding table.
!
ip dhcp snooping
ip dhcp snooping vlan <vlan-range>
!
After DHCP snooping is enabled, these commands enable IPSG:
!
interface <interface-id>
ip verify source
!
Port Security
Port Security is used in order to mitigate MAC address spoofing at the access interface. Port Security can use dynamically learned (sticky) MAC addresses to ease the initial configuration. Once port security has determined a MAC violation, it can utilize one of four violation modes. These modes are protect, restrict, shutdown, and shutdown VLAN.
Port Security is used to mitigate MAC address spoofing on access ports. Port Security can learn MAC addresses dynamically. Once a port detects a MAC address violation, it applies one of four violation modes: protect, restrict, shutdown, or shutdown VLAN.
!
interface <interface>
switchport
switchport mode access
switchport port-security
switchport port-security mac-address sticky
switchport port-security maximum <number>
switchport port-security violation <violation-mode>
!
Dynamic ARP Inspection
Dynamic ARP Inspection (DAI) can be utilized to mitigate ARP poisoning attacks on local segments.
Dynamic ARP Inspection can be used to mitigate ARP spoofing attacks on the local segment.
!
ip dhcp snooping
ip dhcp snooping vlan <vlan-range>
!
Cisco IOS Login Enhancements (Login Block)
The Cisco IOS Login Enhancements (Login Block) feature provides a way for you to better secure your Cisco IOS software-based device against possible malicious connection attempts. By enabling this feature, you can slow down "dictionary attacks" by enforcing a "quiet period" if multiple failed connection attempts are detected, thereby protecting the routing device from a type of denial-of-service attack.
Cisco IOS Login Enhancements provide a software-based way to better secure the device against possibly malicious connection attempts. With this feature enabled, if multiple failed connections are detected, the device enforces a "quiet period" that slows down "dictionary attacks" and so protects the routing device from a DoS attack.
!
login delay
login on-failure log
login on-success log
!
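Added example, not from the original page: the same threshold that login block-for 120 attempts 5 within 60 enforces on the device can be checked on a syslog collector that receives the login on-failure log messages. The script parses %SEC_LOGIN-4-LOGIN_FAILED lines in the service timestamps log datetime msec show-timezone format and reports sources that reach the attempt count inside the window; the log lines, addresses and the year assumed for the timestamps are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Message layout with "service timestamps log datetime msec show-timezone" and sequence numbers.
FAILED_RE = re.compile(
    r"^(?:\d+: )?\*?(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d+) (?P<time>\d\d:\d\d:\d\d)"
    r"(?:\.(?P<ms>\d{3}))?(?: (?P<tz>\w+))?: %SEC_LOGIN-4-LOGIN_FAILED: "
    r".*?\[Source: (?P<src>[\d.]+)\]")

LOG_YEAR = 2021  # assumed: IOS timestamps carry no year

def parse_failure(line):
    """Return (timestamp, source_ip) for a LOGIN_FAILED line, else None."""
    m = FAILED_RE.match(line)
    if not m:
        return None
    stamp = f"{LOG_YEAR} {m['mon']} {m['day']} {m['time']}.{m['ms'] or '000'}"
    return datetime.strptime(stamp, "%Y %b %d %H:%M:%S.%f"), m["src"]

def sources_exceeding(lines, attempts=5, within=60):
    """Mirror 'login block-for ... attempts 5 within 60': return {source: time}
    for sources whose failed logins reached `attempts` inside `within` seconds."""
    recent = defaultdict(deque)
    flagged = {}
    for line in lines:
        parsed = parse_failure(line)
        if parsed is None:
            continue  # successes, config-change logs and other messages are skipped
        ts, src = parsed
        q = recent[src]
        q.append(ts)
        while (ts - q[0]).total_seconds() > within:
            q.popleft()  # slide the window forward
        if len(q) >= attempts and src not in flagged:
            flagged[src] = ts
    return flagged

def _fail(seq, hhmmss, src, user="admin"):
    """Build a constructed LOGIN_FAILED line (sample data, not a real capture)."""
    return (f"{seq:06d}: Mar  1 {hhmmss}.000 GMT: %SEC_LOGIN-4-LOGIN_FAILED: Login failed "
            f"[user: {user}] [Source: {src}] [localport: 22] "
            f"[Reason: Login Authentication Failed] at {hhmmss} GMT Mon Mar 1 {LOG_YEAR}")

SAMPLE_LOGS = [
    _fail(101, "10:00:01", "10.0.0.5"), _fail(102, "10:00:04", "10.0.0.5"),
    _fail(103, "10:00:09", "10.0.0.9"),
    _fail(104, "10:00:12", "10.0.0.5"), _fail(105, "10:00:20", "10.0.0.5"),
    "000106: Mar  1 10:00:25.000 GMT: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success "
    "[user: ops] [Source: 10.0.0.7] [localport: 22] at 10:00:25 GMT Mon Mar 1 2021",
    _fail(107, "10:00:31", "10.0.0.5"),
    _fail(108, "10:03:09", "10.0.0.9"), _fail(109, "10:06:09", "10.0.0.9"),
]
```

With the page's values (5 attempts within 60 seconds) only 10.0.0.5 is reported; 10.0.0.9 fails three times spread over six minutes and stays below the threshold.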
Cisco VTP Vulnerability
Upon receiving a malformed VTP packet, certain devices may reload. The attack could be executed repeatedly, causing an extended Denial of Service.
In order to successfully exploit this vulnerability, the attacker must know the VTP domain name, as well as send the malformed VTP packet to a port on the switch configured for trunking. Since there is no way to completely disable VTP, the better way is to set the VTP mode to transparent on all devices and set a VTP password as well.
Some devices reload when they receive a certain malformed VTP packet; the attack can be repeated to cause a DoS. To exploit this, the attacker must know the VTP domain name and send the packet to a trunk port of the switch. Since VTP cannot be turned off, the better option is to set the VTP mode to transparent and configure a VTP password.
!
vtp mode transparent
vtp password <password>
!
Spanning Tree Protocol Root Guard Enhancement
Any switch can be the root bridge in a network. With the standard STP, any bridge in the network with a lower bridge ID takes the role of the root bridge. The administrator cannot enforce the position of the root bridge. The administrator can set the root bridge priority to 0 in an effort to secure the root bridge position. But there is no guarantee against a bridge with a priority of 0 and a lower MAC address.
Any switch can become the root bridge. Under standard STP, whichever bridge has the lowest bridge ID becomes the root, and the administrator cannot enforce the root's position. The administrator can set the bridge priority to 0 to try to secure the root position, but that does not protect against a switch that also has priority 0 and a lower MAC address.
!
spanning-tree vlan <vlan num | vlan range> priority 0
!
!
spanning-tree guard root
!
MAC address-table notification
Use the mac address-table notification global configuration command to enable the MAC address notification feature on the switch.
This example shows how to enable the MAC address-table notification feature, set the interval time to 60 seconds, and set the history-size to 100 entries:
Use the mac address-table notification global command to enable the MAC address notification feature on the switch. The example sets the interval to 60 seconds and the history size to 100 entries.
!
mac address-table notification
mac address-table notification interval 60
mac address-table notification history-size 100
!
Configuring Dynamic ARP Inspection
ARP provides IP communication within a Layer 2 broadcast domain by mapping an IP address to a MAC address. However, because ARP allows a gratuitous reply from a host even if an ARP request was not received, an ARP spoofing attack and the poisoning of ARP caches can occur. After the attack, all traffic from the device under attack flows through the attacker's computer and then to the router, switch, or host.
A malicious user can attack hosts, switches, and routers connected to your Layer 2 network by poisoning the ARP caches of systems connected to the subnet and by intercepting traffic intended for other hosts on the subnet.
ARP maps IP addresses to MAC addresses using broadcasts, but because ARP accepts unsolicited (gratuitous) replies, ARP attacks and spoofing are possible. A malicious user can use ARP spoofing to attack hosts, switches and routers connected to the Layer 2 network.
!
ip arp inspection vlan <vlan num | vlan range>
ip arp inspection log-buffer entries 1024
ip arp inspection log-buffer logs 1024 interval 10
ip arp inspection limit rate 15
!
We should trust ARP on uplink interfaces by using this command:
We must trust ARP on the uplink interfaces:
!
interface <interface>
ip arp inspection trust
!
Using Authentication, Authorization, and Accounting
The Authentication, Authorization, and Accounting (AAA) framework is critical to securing interactive access to network devices.
The AAA framework is used to secure access to the device.
!
aaa new-model
!
aaa authentication login default local
aaa authorization exec default local
!
As a security best practice, any unnecessary service must be disabled. These unneeded services, especially those that use UDP (User Datagram Protocol), are infrequently used for legitimate purposes, but can be used in order to launch DoS and other attacks that are otherwise prevented by packet filtering.
In practice, all unneeded services must be turned off. These services, especially rarely used UDP services, can be used to launch DoS or other attacks.
Issue the no ip finger global configuration command in order to disable finger service.
Use the no ip finger global configuration command to disable the finger service.
!
no ip finger
!
Issue the no ip bootp server global configuration command in order to disable Bootstrap Protocol.
Use the no ip bootp server global configuration command to disable the Bootstrap Protocol.
!
no ip bootp server
!
DHCP services can be disabled if DHCP relay services are not required. Issue the no service dhcp command in global configuration mode.
If DHCP is not needed, the DHCP service can be disabled.
!
no service dhcp
!
Issue the no mop enabled command in interface configuration mode in order to disable the Maintenance Operation Protocol (MOP) service.
Use the no mop enabled command in interface configuration mode to disable the MOP service.
!
no mop enabled
!
Issue the no ip domain-lookup global configuration command in order to disable Domain Name System (DNS) resolution services.
Use the no ip domain-lookup global configuration command to disable DNS resolution.
!
no ip domain-lookup
!
Issue the no service pad command in global configuration mode in order to disable Packet Assembler/Disassembler (PAD) service, which is used for X.25 networks.
Use the no service pad global command to disable the PAD service used for X.25.
!
no service pad
!
Issue the no service tcp-small-servers and no service udp-small-servers global configuration commands to disable the small services.
Use the no service tcp-small-servers and no service udp-small-servers global configuration commands to turn off the small services.
!
no service tcp-small-servers
no service udp-small-servers
!
The HTTP server can be disabled with the no ip http server command in global configuration mode, and the Secure HTTP (HTTPS) server can be disabled with the no ip http secure-server global configuration command.
The HTTP service can be disabled with the no ip http server global command, and the secure HTTP (HTTPS) service with the no ip http secure-server global configuration command.
!
no ip http server
no ip http secure-server
!
Unless Cisco IOS devices retrieve configurations from the network during startup, the no service config global configuration command must be used. This prevents the Cisco IOS device from attempting to locate a configuration file on the network using TFTP.
If the Cisco device does not obtain its configuration file from the network at startup, the no service config command must be used. It stops the Cisco device from trying to fetch a configuration file from the network.
!
no service config
!
Cisco Discovery Protocol (CDP) is a network protocol that is used in order to discover other CDP-enabled devices for neighbor adjacency and network topology. CDP can be used by Network Management Systems (NMS) or during troubleshooting. CDP must be disabled on all interfaces that are connected to untrusted networks. This is accomplished with the no cdp enable interface command. Alternatively, CDP can be disabled globally with the no cdp run global configuration command. Note that CDP can be used by a malicious user for reconnaissance and network mapping.
CDP is a protocol for discovering neighbors in the network; it can be used by network management systems or during troubleshooting. If the device is connected to an untrusted network, CDP must be disabled, either on the interface with no cdp enable or globally with no cdp run. Be aware that CDP can be used by a malicious user to discover the network topology.
!
no cdp run
!
Link Layer Discovery Protocol (LLDP) is an IEEE protocol that is defined in 802.1AB. LLDP is similar to CDP. In order to disable this feature, issue the no lldp transmit and no lldp receive interface configuration commands. Issue the no lldp run global configuration command in order to disable LLDP globally.
LLDP is an IEEE protocol defined in 802.1AB and is similar to CDP. Disable it on an interface with no lldp transmit or no lldp receive, or globally with no lldp run.
!
no lldp run
!
Other security options
Ensure that the device is configured to not send ICMP redirect messages.
Ensure that the device does not send ICMP redirect messages.
!
no ip redirects
!
Ensure that the device is configured to not send ICMP unreachable messages.
Ensure that the device does not send ICMP unreachable messages.
!
no ip unreachables
!
Ensure that the proxy ARP service is not enabled on any interface.
Ensure that proxy ARP is disabled on every interface of the device.
!
no ip proxy-arp
!
Drop all packets with IP options set.
Drop any packet that has IP options set.
!
ip options drop
!
Ensure that the device is not forwarding IP packets with the source routing option in the header.
Ensure that the device does not forward packets whose header has the IP source-route option set.
!
no ip source-route
!
Turn off UDP broadcast.
Turn off UDP broadcast forwarding.
!
no ip forward-protocol udp
!
security passwords min-length ensures that all configured passwords are at least the specified length.
Minimum password length: ensure that configured passwords are no shorter than the specified length.
!
security passwords min-length <length>
!
security authentication failure rate configures the number of allowable unsuccessful login attempts.
Authentication failure rate: specify the rate of unsuccessful logins that is allowed.
!
security authentication failure rate <threshold-rate> log
!
Limiting messages sent to a syslog server.
Limit the log level sent to the syslog server.
!
logging trap <level>
!
Disable gratuitous ARP requests.
Disable unnecessary ARP requests.
!
no ip gratuitous-arps
!
Turn VLAN1 off.
Shut down VLAN 1.
!
interface vlan 1
shutdown
!
Set the encapsulation on all trunk ports.
Set the encapsulation on every trunk.
!
switchport trunk encapsulation dot1q
!
Set all trunk ports to no channel-group
Set no channel-group on the trunk ports.
!
no channel-group
!
Disable IP Source Routing
Disable IP source routing.
!
no ip source-route
!
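Added example (not the page's own code): a presence check of the global and per-interface hardening lines recommended in the sections above, run against a constructed running-config and parsing interface blocks separately from global lines. Because IOS omits default-on settings from the running-config, a missing no form is reported as a finding; on releases where a feature is already off by default that line will not appear either, so treat the output as a review list rather than proof. The sample configuration and the required-command lists are constructed from the sections above.

```python
import re

# Constructed sample running-config (not from a real device); it applies only part
# of the page's recommendations so the audit has something to report.
SAMPLE_CONFIG = """\
no ip bootp server
no ip http server
ip http secure-server
no lldp run
interface GigabitEthernet0/0
 ip address 203.0.113.2 255.255.255.252
 no ip redirects
interface GigabitEthernet0/1
 ip address 192.168.100.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 no cdp enable
line aux 0
 transport input none
"""
# Lines the sections above recommend; an absent line is reported as a finding.
GLOBAL_REQUIRED = ["no service password-recovery", "no ip source-route", "no ip bootp server",
                   "no ip http server", "no ip http secure-server", "no cdp run", "no lldp run",
                   "no ip gratuitous-arps"]
GLOBAL_FORBIDDEN = ["ip http server", "ip http secure-server", "ip finger"]
INTERFACE_REQUIRED = ["no ip redirects", "no ip unreachables", "no ip proxy-arp",
                      "no ip mask-reply", "no ip directed-broadcast"]

def parse_config(text):
    """Split a running-config into global lines and {interface: [sub-lines]}."""
    global_lines, interfaces, current = [], {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" "):  # indented line belongs to the block opened above
            if current is not None:
                interfaces[current].append(raw.strip())
            continue
        m = re.match(r"^interface (\S+)$", raw)
        current = m.group(1) if m else None  # other blocks (line, router ...) are skipped
        if m:
            interfaces[current] = []
        else:
            global_lines.append(raw.strip())
    return global_lines, interfaces

def audit_config(text):
    global_lines, interfaces = parse_config(text)
    present = set(global_lines)
    findings = [f"global: missing '{c}'" for c in GLOBAL_REQUIRED if c not in present]
    findings += [f"global: '{c}' is explicitly enabled" for c in GLOBAL_FORBIDDEN if c in present]
    for name, lines in interfaces.items():
        findings += [f"{name}: missing '{c}'" for c in INTERFACE_REQUIRED if c not in lines]
        if "no cdp run" not in present and "no cdp enable" not in lines:
            findings.append(f"{name}: CDP still enabled")  # neither global nor per-interface off
    return findings
```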
This article is reposted from the 51CTO blog of justiceplus; original link: http://blog.51cto.com/johnwang/129062. Contact the original author for reprint permission.